Check out the documentation about login modules, JAAS and realms. That'll get you started. Oh, yes, you can use any database that you can set up a dataservice for.
remember one thing though. j2ee in general falls short when you want to do declarative authorization. for eg. if you're designing an application where certain people have certain privileges that are data-dependent you have to write security interceptors.